Attention: macOS code signing!

Arne_Scheffler · September 12, 2019, 11:45am

Hi,
please make sure that if you code sign your plug-ins that the code signature is valid. We now see plug-ins that are signed, but with an invalid code signature which will trigger a crash on load in any hardened runtime enabled host.

To verify that your code signature is valid please run

codesign -v PLUGINPATH

The result should be either no output at all or

code object is not signed at all

Because unsigned code will still be loaded if allowed by the host, but invalid signed code will be rejected.

Cheers,
Arne

M_C · February 22, 2021, 2:53pm

What’s the right option to choose there?

M_C · February 22, 2021, 4:14pm

Could you elaborate how the host would allow that? Is there a way in 2021 with MacOS 11 that allows for unsigned a notarized code to be executed?

Arne_Scheffler · February 22, 2021, 4:38pm

The post was from a time where macOS 11 was not available. For macOS 11 you need to code sign, but you can use “code sign to run locally” or via command line: “codesign - $pathToCodeSign”

M_C · February 22, 2021, 4:51pm

Just to clarify: “code sign to run locally” only allows me to test the code on this local machine, but as soon as I want to give the alpha or beta version to someone else I need to have payed for an Apple Developer license and have someone at Apple notarize my code. Right?

Arne_Scheffler · February 22, 2021, 6:27pm

Yes I think so.

pongasoft · February 23, 2021, 1:51pm

As an author of many free VST plugin it really bites that I will now have to pay $99 a year to Apple just so that my free VST plugins can run on newer Macs. I know this is not VST fault but that still sucks . Apple has finally found a way to make everybody pay even if you don’t publish your app and/or plugins in the store…

WCCharles · March 18, 2021, 10:39am

I believe you want Developer ID Application.

storyofagame · August 23, 2022, 8:59am

Old post but this might still be interesting…

“There isn’t a specific identity requirement for this signature: a simple ad-hoc signature issued locally is sufficient, which includes signatures which are now generated automatically by the linker”

Taken from here: https://eclecticlight.co/2020/08/22/apple-silicon-macs-will-require-signed-code/

nborthwick · October 6, 2022, 7:18pm

Just wanted to add to this thread to say that even though code signing is optional on Windows, its highly recommended to sign plugins (and your applications of course).
If you don’t, you risk antivirus programs quarantining your plugins or even causing issues at runtime like slower load.

On Windows you have to pay for a third-party code signing certificate for your company that costs about $500 per year to maintain (less if you buy for more than a year). So, it’s actually more expensive than on Apple.

storyofagame · November 14, 2022, 11:24pm

Way cheaper ← here??